We at Trend Micro Research recently produced a short blog series on the Pushdo botnet, a botnet which excelled at staying under the radar for a considerable amount of time. Pushdo is not alone in this regard however: enter Ilomo.

Ilomo has also been active for several years now, and like Pushdo it has done so without attracting too much unwanted attention from the security industry. Like Pushdo, the Ilomo threat is quite modular in nature, which makes it difficult to see the actions of the overall threat. Added to this is the fact that it uses a commercial virtual machine obfuscator, significantly adding to the effort involved in reverse engineering the malware binaries.

Ilomo has two key components to its business plan. The first is good old-fashioned information stealing. Ilomo injects its code into the browser and monitors the internet connection, waiting for the user to connect to one of over 4,000 banking, financial or webmail sites. Not content with simply stealing the user’s credentials, Ilomo can also “piggyback” on the user’s session, transferring funds from an infected user’s account and making a mockery of the bank’s secure login system. Ilomo will also harvest all other login credentials from the machine, such as those for FTP, web servers and local administrators. These are then used to spread itself across the network and to take control of web servers online, which it will use to host new versions of the malware.

Ilomo’s second source of revenue is selling “anonymity as a service.” Every infected Ilomo machine acts as a proxy so that criminals can route their illegal activities through different networks and countries. In addition to hiding the criminals’ identity, this proxy network is very useful for defeating another defense built into many banking sites, namely that they can only be accessed from certain countries. If a criminal needs to access a Brazilian bank, they simply use an infected Ilomo machine in Brazil to route the connection.

We have only touched on some of the high-level details of Ilomo in this article. If you want to look at Ilomo in even more detail (and find out about the technical aspects we did not have time to discuss), check out our white paper:

We have been fighting Clampi/Ilomo for over 9 months now. We have been trying many different ways to battle the spread and repeated infections, but it’s impossible to block out Clampi without shutting down the internet, especially since legit and even whitelisted websites are getting injected with these codes.

It’s good to see that anti-virus companies are finally paying attention to this. The white paper lists very good information, but we had to learn all these facts ourselves the hard way. Our AV company (much bigger than Trend) did not offer us very good help when we couldn’t quite identify what we were up against.

Now that Clampi is out in the open, the newest variants are sure to be even tougher to fight against.